

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Integrating Keycloak with RadosGW &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Session tags for Attribute Based Access Control in STS" href="../session-tags/" />
    <link rel="prev" title="STS Lite" href="../STSLite/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="integrating-keycloak-with-radosgw">
<span id="radosgw-keycloak"></span><h1>Integrating Keycloak with RadosGW<a class="headerlink" href="#integrating-keycloak-with-radosgw" title="Permalink to this heading"></a></h1>
<p>If Keycloak is set up as an OpenID Connect Identity Provider, it can be used by
mobile apps and web apps to authenticate their users. By using the web token
returned by the authentication process, a mobile app or web app can call
AssumeRoleWithWebIdentity, receive a set of temporary S3 credentials, and use
those credentials to make S3 calls.</p>
<section id="setting-up-keycloak">
<h2>Setting up Keycloak<a class="headerlink" href="#setting-up-keycloak" title="Permalink to this heading"></a></h2>
<p>Documentation for installing and operating Keycloak can be found here:
<a class="reference external" href="https://www.keycloak.org/guides">https://www.keycloak.org/guides</a>.</p>
</section>
<section id="configuring-keycloak-to-talk-to-rgw">
<h2>Configuring Keycloak to talk to RGW<a class="headerlink" href="#configuring-keycloak-to-talk-to-rgw" title="Permalink to this heading"></a></h2>
<p>To configure Keycloak to talk to RGW, add the following settings to the RGW
configuration. The STS key is a shared secret used to encrypt and decrypt the
session token, so it must be kept confidential:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">client</span><span class="o">.</span><span class="n">radosgw</span><span class="o">.</span><span class="n">gateway</span><span class="p">]</span>
<span class="n">rgw</span> <span class="n">sts</span> <span class="n">key</span> <span class="o">=</span> <span class="p">{</span><span class="n">sts</span> <span class="n">key</span> <span class="k">for</span> <span class="n">encrypting</span><span class="o">/</span> <span class="n">decrypting</span> <span class="n">the</span> <span class="n">session</span> <span class="n">token</span><span class="p">}</span>
<span class="n">rgw</span> <span class="n">s3</span> <span class="n">auth</span> <span class="n">use</span> <span class="n">sts</span> <span class="o">=</span> <span class="n">true</span>
</pre></div>
</div>
</section>
<section id="fetching-a-web-token-with-keycloak">
<h2>Fetching a web token with Keycloak<a class="headerlink" href="#fetching-a-web-token-with-keycloak" title="Permalink to this heading"></a></h2>
<p>Several examples of apps authenticating with Keycloak can be found here:
<a class="reference external" href="https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md">https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md</a>.</p>
<p>Consider, for example, the app-profile-jee-jsp app from the link above. To
fetch the access token (web token) for such an application using the
‘client_credentials’ grant type, use the client id and client secret as follows.
Note that the example passes <code class="docutils literal notranslate"><span class="pre">-k</span></code> to curl and uses a plain
<code class="docutils literal notranslate"><span class="pre">http://</span></code> URL, which disables certificate verification and sends the
client secret unencrypted; outside a test environment, use
<code class="docutils literal notranslate"><span class="pre">https://</span></code> with a trusted certificate and drop
<code class="docutils literal notranslate"><span class="pre">-k</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>KC_REALM=demo
KC_CLIENT=&lt;client id&gt;
KC_CLIENT_SECRET=&lt;client secret&gt;
KC_SERVER=&lt;host&gt;:8080
KC_CONTEXT=auth

# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v -X POST \
-H &quot;Content-Type: application/x-www-form-urlencoded&quot; \
-d &quot;scope=openid&quot; \
-d &quot;grant_type=client_credentials&quot; \
-d &quot;client_id=$KC_CLIENT&quot; \
-d &quot;client_secret=$KC_CLIENT_SECRET&quot; \
&quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token&quot; \
| jq .
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
</pre></div>
</div>
<p>An access token for a particular user can also be fetched with the
‘password’ grant type, using the client id, client secret, username, and
password as follows. Because this request carries the user's password as well
as the client secret, it should go over
<code class="docutils literal notranslate"><span class="pre">https://</span></code> with certificate verification enabled (no
<code class="docutils literal notranslate"><span class="pre">-k</span></code>) outside a test environment:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> KC_REALM=demo
 KC_USERNAME=&lt;username&gt;
 KC_PASSWORD=&lt;userpassword&gt;
 KC_CLIENT=&lt;client id&gt;
 KC_CLIENT_SECRET=&lt;client secret&gt;
 KC_SERVER=&lt;host&gt;:8080
 KC_CONTEXT=auth

# Request Tokens for credentials
 KC_RESPONSE=$( \
 curl -k -v -X POST \
 -H &quot;Content-Type: application/x-www-form-urlencoded&quot; \
 -d &quot;scope=openid&quot; \
 -d &quot;grant_type=password&quot; \
 -d &quot;client_id=$KC_CLIENT&quot; \
 -d &quot;client_secret=$KC_CLIENT_SECRET&quot; \
 -d &quot;username=$KC_USERNAME&quot; \
 -d &quot;password=$KC_PASSWORD&quot; \
 &quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token&quot; \
 | jq .
 )

 KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
</pre></div>
</div>
<p><code class="docutils literal notranslate"><span class="pre">KC_ACCESS_TOKEN</span></code> can be used to invoke <code class="docutils literal notranslate"><span class="pre">AssumeRoleWithWebIdentity</span></code>: see
<a class="reference internal" href="../STS/"><span class="doc">STS in Ceph</span></a>.</p>
</section>
<section id="adding-tags-to-a-user-in-keycloak">
<h2>Adding tags to a user in Keycloak<a class="headerlink" href="#adding-tags-to-a-user-in-keycloak" title="Permalink to this heading"></a></h2>
<p>To create a user in Keycloak and add tags to it as its attributes, follow these
steps:</p>
<ol class="arabic">
<li><p>Add a user:</p>
<img alt="Keycloak screenshot: adding a user" class="align-center" src="../../_images/keycloak-adduser.png" />
</li>
<li><p>Add user details:</p>
<img alt="Keycloak screenshot: entering user details" class="align-center" src="../../_images/keycloak-userdetails.png" />
</li>
<li><p>Add user credentials:</p>
<img alt="Keycloak screenshot: setting user credentials" class="align-center" src="../../_images/keycloak-usercredentials.png" />
</li>
<li><p>Add tags to the ‘attributes’ tab of the user:</p>
<img alt="Keycloak screenshot: adding tags on the user's attributes tab" class="align-center" src="../../_images/keycloak-usertags.png" />
</li>
<li><p>Add a protocol mapper that maps the user attribute to a client:</p>
<img alt="Keycloak screenshot: protocol mapper mapping the user attribute to a client" class="align-center" src="../../_images/keycloak-userclientmapper.png" />
</li>
</ol>
<p>After these steps have been completed, the tag ‘Department’ will appear in the
JWT (web token), under the ‘<a class="reference external" href="https://aws.amazon.com/tags">https://aws.amazon.com/tags</a>’ namespace.</p>
<p>Tags can be verified by performing token introspection on the JWT. To
introspect a token, use the client id and client secret as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">KC_REALM</span><span class="o">=</span><span class="n">demo</span>
<span class="n">KC_CLIENT</span><span class="o">=&lt;</span><span class="n">client</span> <span class="nb">id</span><span class="o">&gt;</span>
<span class="n">KC_CLIENT_SECRET</span><span class="o">=&lt;</span><span class="n">client</span> <span class="n">secret</span><span class="o">&gt;</span>
<span class="n">KC_SERVER</span><span class="o">=&lt;</span><span class="n">host</span><span class="o">&gt;</span><span class="p">:</span><span class="mi">8080</span>
<span class="n">KC_CONTEXT</span><span class="o">=</span><span class="n">auth</span>

<span class="n">curl</span> <span class="o">-</span><span class="n">k</span> <span class="o">-</span><span class="n">v</span> \
<span class="o">-</span><span class="n">X</span> <span class="n">POST</span> \
<span class="o">-</span><span class="n">u</span> <span class="s2">&quot;$KC_CLIENT:$KC_CLIENT_SECRET&quot;</span> \
<span class="o">-</span><span class="n">d</span> <span class="s2">&quot;token=$KC_ACCESS_TOKEN&quot;</span> \
<span class="s2">&quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect&quot;</span> \
<span class="o">|</span> <span class="n">jq</span> <span class="o">.</span>
</pre></div>
</div>
</section>
</section>





           </div>
           
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>